CVE-2024-6345

Name	CVE-2024-6345
Description	A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3876-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
setuptools (PTS)	bullseye	52.0.0-4	vulnerable
	bullseye (security)	52.0.0-4+deb11u1	fixed
	bookworm	66.1.1-1	vulnerable
	trixie	74.1.2-2	fixed
	sid	75.2.0-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
setuptools	source	bullseye	52.0.0-4+deb11u1		DLA-3876-1
setuptools	source	(unstable)	70.3.0-2

Notes

[bookworm] - setuptools <no-dsa> (Minor issue)
https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
Fixed by merge: https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0 (v70.0.0)